Add Dynamodb construct with default deletion protection and mandatory opt-in/opt-out setting for DevX-backup

[michaelwmcnamara]

What does this change?

This PR adds a construct for dynamoDB tables
This construct will enable deletion protection by default.
It also adds a mandatory opt-in/opt-out field for aws backups.
This last forces a decision on whether or not to use the AWS backup vault to protect backup data from accidental or malicious deletion.
This decision should almost always be yes, however there are circumstances in which a team might need to use a different form of storage for their backup. The important thing is that the decision is made explicitly.
If users opt-out, they will need to provide a reason for their decision. This is to allow this information to be captured in security audits.

This is a new construct, so will not be a breaking change.

How to test

Unit tests added to cover main scenarios.

How can we measure success?

New stacks created in CDK have deletion protection enabled and a clear decision on whether to opt-in or out of AWS Backups.
It is harder to delete DynamoDB tables by accident.
We do not have a build up of tables whose backup status is unknown and un-tracked.
Our data infrastructure is more secure and more resilient

Have we considered potential risks?

Currently this construct is not in use.
Only risks are:

• The construct is not adopted and teams continue to use the native AWS dynamoDB construct
• As an organisation we suddenly want to switch to a multi-region architecture. This dynamoDB construct uses the original Table construct which does not have as good support for multi-region features - as opposed to the new TableV2 construct.
  This risk is minimal for now as a github search revealed we are using the original Table construct across all our current repositories and the TableV2 is not in use on any of our repos.
  This PR has been optimised to maximise adoption by existing teams.

That said a new DynamoDB construct that uses the TableV2 classes would be a useful addition should any teams ever need to adopt a multi-regioin AWS infrastructure.

Checklist

• I have listed any breaking changes, along with a migration path ¹
• No breaking changes as this is a new construct
• I have updated the documentation as required for the described changes ²

Footnotes

1. Consider whether this is something that will mean changes to projects that have already been migrated, or to the CDK CLI tool. If changes are required, consider adding a checklist here and/or linking to related PRs. ↩

2. If you are adding a new construct or pattern, has new documentation been added? If you are amending defaults or changing behaviour, are the existing docs still valid? ↩

[changeset-bot]

🦋 Changeset detected

Latest commit: 3f9fe30

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@guardian/cdk	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[jacobwinch]

I think you need to reformat to get the CI build to pass (you can do this with npm run format ). I've also left one comment on the release type (I think this should be a minor release).

Once those small issues have been addressed I think this is good to go 👍

[michaelwmcnamara]

I think you need to reformat to get the CI build to pass (you can do this with npm run format ). I've also left one comment on the release type (I think this should be a minor release).

Once those small issues have been addressed I think this is good to go 👍

Thanks for your help with this @jacobwinch!